Running FreeRadius 1.1.0, and I'm wondering if I'm doing something wrong here.
We have some users who have a split tunneling policy configured on their
account for various historical reasons. The entries look like so:
myuser Huntgroup-Name=="Office", Hint==Port-1812, Auth-Type:=Accept
CVPN3000-IPSEC-Split-Tunneling-Policy = 1,
CVPN3000-IPSEC-Split-Tunnel-List = "SPCCOLO_ST",
Class = "OU=AOL-TW", Filter-Id = "SPCCOLO_O"
Unfortunately, the split tunneling attributes aren't being returned by radiusd
to the client (neither the NAS nor radclient). In testing with radclient, I get:
# echo 'User-Name = "myuser", User-Password = "", NAS-IP-Address = 127.0.0.1,
NAS-Port = 1' | /opt/bin/radclient -d /opt/share/dictionary/ -x
127.0.0.1:1812 auth foobar
Sending Access-Request of id 63 to 127.0.0.1 port 1812
User-Name = "myuser"
User-Password = ""
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=63, length=42
Class = 0x4f553d414f4c2d5457
Filter-Id = "SPCCOLO_O"
Our prior GNU radius setup (which I hate) did this just fine, returning:
Sending Access-Request of id 224 to 172.18.165.36 port 1645
User-Name = "myuser"
User-Password = ""
NAS-IP-Address = 172.18.209.18
NAS-Port = 1
rad_recv: Access-Accept packet from host 172.18.165.36:1645, id=224, length=72
Class = 0x4f553d414f4c2d5457
Filter-Id = "SPCCOLO_O"
Vendor-3076-Attr-55 = 0x00000001
Vendor-3076-Attr-27 = 0x535043434f4c4f5f5354
Is there something special I need to do to ensure that the Split-Tunneling
attributes are returned upon successful authentication? Running radiusd in
debug mode doesn't reveal anything obvious to me:
# /opt/reverb/sbin/radiusd -AX
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/reverb/etc/clients.conf
Config: including file: /opt/reverb/etc/proxy.conf
main: prefix = "/opt/reverb"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/opt/reverb/lib"
main: radacctdir = "/var/log/radius"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "reverb"
main: group = "reverb"
main: usercollide = no
main: lower_user = "yes"
main: lower_pass = "no"
main: nospace_user = "before"
main: nospace_pass = "no"
main: checkrad = "/opt/reverb/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 1
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 300
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
listen: port = 1645
listen: type = "auth"
listen: port = 1646
listen: type = "acct"
listen: port = 1812
listen: type = "auth"
listen: port = 1813
listen: type = "acct"
radiusd: entering modules setup
Module: Library search path is /opt/reverb/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "none"
exec: packet_type = "(null)"
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded preprocess
preprocess: huntgroups = "/opt/reverb/etc/huntgroups"
preprocess: hints = "/opt/reverb/etc/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded syslog
syslog: hidepasswd = "yes"
syslog: logextra = "(null)"
syslog: logfacility = "local3"
syslog: loglevel = "info"
syslog: logname = "radiusd-auth"
Module: Instantiated syslog (auth_log)
Module: Loaded files
files: usersfile = "/opt/reverb/etc/users"
files: acctusersfile = "/opt/reverb/etc/acct_users"
files: preproxy_usersfile = "/opt/reverb/etc/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
syslog: hidepasswd = "yes"
syslog: logextra = "(null)"
syslog: logfacility = "local3"
syslog: loglevel = "info"
syslog: logname = "radiusd-acct"
Module: Instantiated syslog (acct_log)
syslog: hidepasswd = "yes"
syslog: logextra = "User-Name = %{User-Name},Client-IP-Address =
%{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port}"
syslog: logfacility = "local3"
syslog: loglevel = "info"
syslog: logname = "radiusd-auth"
Module: Instantiated syslog (reply_log)
Listening on authentication *:1645
Listening on accounting *:1646
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1647
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:36126, id=68, length=64
User-Name = "myuser"
User-Password = ""
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_rmspace_pair: User-Name now 'myuser'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
hints: Matched DEFAULT at 35
radius_xlat: 'Port-1812'
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "auth_log" returns ok for request 0
users: Matched entry myuser at line 28547
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [myuser] (from client localhost port 1)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat: 'User-Name = myuser,Client-IP-Address = 127.0.0.1,NAS-IP-Address
= 127.0.0.1,NAS-Port = 1'
rlm_syslog: User-Name = %{User-Name},Client-IP-Address =
%{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port}
expands to User-Name = myuser,Client-IP-Address = 127.0.0.1,NAS-IP-Address =
127.0.0.1,NAS-Port = 1
modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 68 to 127.0.0.1 port 36126
Class = 0x4f553d414f4c2d5457
Filter-Id = "SPCCOLO_O"
Finished request 0
Going to the next request
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
